Sysadmins rejoice! Patch rampage killing off nasty DDoS attack vector

Server fleet open to NTP attack drops from 400k to just 17,000

Sysadmins rejoice! NSFOCUS researchers say hundreds of thousands of Network Time Protocol (NTP) servers have been patched, reducing the threat from some devastating and cheap distributed denial of service (DDoS) attacks.

The patching rampage saw the number of vulnerable NTP servers drop from 432,120 at the start of the year to 17,647 in May.

The sharp decline followed alerts by Computer Emergency Response Teams (CERTs) and the media to a rise in powerful NTP reflection DDoS attacks that deluged websites and servers with record levels of junk traffic.

Using NTP servers for DDoS attacks offers resourced-starved assailants huge bang for buck. Small packets can be sent to insecure NTP servers, normally used to synchronise clocks, which would then return an amount of data magnified many hundred-fold to a target of the attacker's choosing.

Patches closed off or restricted monlist functions used in the attacks which normally provided a list of the previous 600 boxes that communicated with a NTP server. Villains would spoof monlist requests from victim machines which would then be heavily DDoSed.

NSFOCUS wrote in a report that the patching effort was laudable but more work needed to be done.

"The decline in vulnerable servers indicates that many network and system administrators have taken the necessary steps to disable or restrict monlist functions; however proper steps should be taken to ensure the rest of the vulnerable servers are protected," the company wrote.

"US-CERT and Network Time Protocol strongly advise system administrators to upgrade ntpd to version 4.2.7p26 or later. Users of earlier versions of 4.2.7p26 should either use noquery in the default restrictions to block all status queries, or use disable monitor to disable the ntpdc – c monlist command while still allowing other status queries." ®